Analysis
max time kernel: 162s
max time network: 182s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-02-2022 11:16
Static task: static1
Behavioral task: behavioral1
  Sample: 04cce4ea3ff059b51f1382f1559199ee5fd76ac87add8de34b67e2c258e9b310.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 04cce4ea3ff059b51f1382f1559199ee5fd76ac87add8de34b67e2c258e9b310.exe
  Resource: win10v2004-en-20220113
General
Target: 04cce4ea3ff059b51f1382f1559199ee5fd76ac87add8de34b67e2c258e9b310.exe
Size: 216KB
MD5: c9676d9aad72714d64a8b93fe5fe3e9a
SHA1: 6d553a2b3bb8ac39bd32b6973106e6651ecc0440
SHA256: 04cce4ea3ff059b51f1382f1559199ee5fd76ac87add8de34b67e2c258e9b310
SHA512: 2a0be0f57aedfee9a41fd5032e1e45817c9667e9f23ac6b652dd10d9168be34634b69fc8356baeeb4e087dbab32b734b0ceb8242e5a8e7b56ef0d7930b1b0f17
Malware Config
Signatures

Sakula Payload (4 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe | family_sakula
  behavioral1/memory/1576-58-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula
  behavioral1/memory/1048-59-0x0000000000400000-0x0000000000420000-memory.dmp | family_sakula

Executes dropped EXE (1 IoC)
  pid | process
  1048 | MediaCenter.exe

Deletes itself (1 IoC)
  pid | process
  828 | cmd.exe

Loads dropped DLL (1 IoC)
  pid | process
  1576 | 04cce4ea3ff059b51f1382f1559199ee5fd76ac87add8de34b67e2c258e9b310.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 04cce4ea3ff059b51f1382f1559199ee5fd76ac87add8de34b67e2c258e9b310.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1576 | 04cce4ea3ff059b51f1382f1559199ee5fd76ac87add8de34b67e2c258e9b310.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 1576 wrote to memory of 1048 | 1576 | 04cce4ea3ff059b51f1382f1559199ee5fd76ac87add8de34b67e2c258e9b310.exe | MediaCenter.exe
  PID 1576 wrote to memory of 1048 | 1576 | 04cce4ea3ff059b51f1382f1559199ee5fd76ac87add8de34b67e2c258e9b310.exe | MediaCenter.exe
  PID 1576 wrote to memory of 1048 | 1576 | 04cce4ea3ff059b51f1382f1559199ee5fd76ac87add8de34b67e2c258e9b310.exe | MediaCenter.exe
  PID 1576 wrote to memory of 1048 | 1576 | 04cce4ea3ff059b51f1382f1559199ee5fd76ac87add8de34b67e2c258e9b310.exe | MediaCenter.exe
  PID 1576 wrote to memory of 828 | 1576 | 04cce4ea3ff059b51f1382f1559199ee5fd76ac87add8de34b67e2c258e9b310.exe | cmd.exe
  PID 1576 wrote to memory of 828 | 1576 | 04cce4ea3ff059b51f1382f1559199ee5fd76ac87add8de34b67e2c258e9b310.exe | cmd.exe
  PID 1576 wrote to memory of 828 | 1576 | 04cce4ea3ff059b51f1382f1559199ee5fd76ac87add8de34b67e2c258e9b310.exe | cmd.exe
  PID 1576 wrote to memory of 828 | 1576 | 04cce4ea3ff059b51f1382f1559199ee5fd76ac87add8de34b67e2c258e9b310.exe | cmd.exe
  PID 828 wrote to memory of 1600 | 828 | cmd.exe | PING.EXE
  PID 828 wrote to memory of 1600 | 828 | cmd.exe | PING.EXE
  PID 828 wrote to memory of 1600 | 828 | cmd.exe | PING.EXE
  PID 828 wrote to memory of 1600 | 828 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\04cce4ea3ff059b51f1382f1559199ee5fd76ac87add8de34b67e2c258e9b310.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04cce4ea3ff059b51f1382f1559199ee5fd76ac87add8de34b67e2c258e9b310.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1576

    C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
      - Executes dropped EXE
      PID: 1048

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\04cce4ea3ff059b51f1382f1559199ee5fd76ac87add8de34b67e2c258e9b310.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 828

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          - Runs ping.exe
          PID: 1600
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 5ca79c01e088d44170a127176b998a7f
  SHA1: 077f31a145a7521f852d3b43f8313aa4468fc013
  SHA256: da4375e3ac359973de2468fe8651c89c5171aa3fbe6cef4a17a1a15c1980680f
  SHA512: ae58db20c707897749a0d8279c336092a8f00c3d29c58a5f2719402cac0ca0566b25c260ee334ac37a99d8e04f384fd632806ec6b71374dc6c55ca15bf5c5d90

\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
  MD5: 5ca79c01e088d44170a127176b998a7f
  SHA1: 077f31a145a7521f852d3b43f8313aa4468fc013
  SHA256: da4375e3ac359973de2468fe8651c89c5171aa3fbe6cef4a17a1a15c1980680f
  SHA512: ae58db20c707897749a0d8279c336092a8f00c3d29c58a5f2719402cac0ca0566b25c260ee334ac37a99d8e04f384fd632806ec6b71374dc6c55ca15bf5c5d90

memory/1048-59-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

memory/1576-54-0x00000000754B1000-0x00000000754B3000-memory.dmp
  Filesize: 8KB

memory/1576-58-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB